U.S. DEPARTMENT OF THE INTERIOR
OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

MOVING TO A CUSTOMER-CENTERED WEB PRESENCE

Report No. 2003-I-0051
June 2003

A-IN-MOA-0008-2003

United States Department of the Interior
Office of Inspector General
134 Union Boulevard, Suite 510
Lakewood, Colorado 80228

7430

June 9, 2003

Memorandum

To: Chief Information Officer, Department of the Interior

From: Diann Sandy, Manager, National Information Systems Office

Subject: Evaluation Report on Moving to a Customer-Centered Web Presence (Report No. 2003-I-0051)

The subject report presents the results of our evaluation of the Department of the Interior’s (DOI) management and control of its Web sites. Although DOI has made some recent improvements, much remains to be accomplished. Specifically, the Department needs to manage its Web sites more efficiently, cost-effectively and securely; adhere to Federal laws and regulations; and focus on its customers.

We identified a framework for improvement based on practices employed by other Federal and state agencies as well as standards established by the Office of Management and Budget, the National Institute of Standards and Technology, and industry. We recommend that DOI implement a plan, using the framework described in this report, to improve management of its web sites.
Please provide a written response to the report by July 15, 2003.

The legislation, as amended, creating the Office of Inspector General requires that we report to the Congress semiannually on all reports issued, actions taken to implement our recommendations, and recommendations that have not been implemented.

We appreciate the cooperation provided by all DOI staff during our evaluation. If you have any questions regarding this report, please call me at (303) 236-9243.

TABLE OF CONTENTS

CHALLENGES FACING THE DEPARTMENT OF THE INTERIOR
    NUMBER OF WEB SITES NOT CONTROLLED
    SECURITY NOT ADEQUATE
    WEB SITES NOT COMPLIANT WITH FEDERAL LAWS AND REGULATIONS
    WEB SITES NOT FOCUSED ON CUSTOMERS

BUILDING ON DOI’S EFFORTS
    WEB PRESENCE ACTIVITIES
    MORE NEEDS TO BE DONE

FRAMEWORK FOR IMPROVEMENT
    STARTING THE MANAGEMENT AND CONTROL PROCESS
    MOVING TO A CUSTOMER-CENTERED WEB PRESENCE
    ENHANCING SECURITY

RECOMMENDATION

APPENDICES
    APPENDIX 1, EVALUATION SCOPE AND METHODOLOGY
    APPENDIX 2, DIAGRAM OF THE DEPARTMENT OF THE INTERIOR’S WEB PRESENCE
    APPENDIX 3, DEPARTMENT OF THE INTERIOR’S “OTHER” WEB SITES
    APPENDIX 4, SCORECARD OF THE DEPARTMENT OF THE INTERIOR’S WEB SITES

GLOSSARY OF TERMS USED

CHALLENGES FACING THE DEPARTMENT OF THE INTERIOR

The Department of the Interior (DOI) needs to take charge of its Web presence (use of the Internet through World Wide Web technology and commonly referred to as the Web) to:

- Control the current unmanaged growth of Web sites;
- Reduce security risks;
- Comply with Federal requirements such as those governing privacy; and
- Focus on its customers - citizens, businesses, other government entities, and internal users.

NUMBER OF WEB SITES NOT CONTROLLED

DOI needs to rein in the proliferation of its Web sites to assure that Web site content and information are coordinated among bureaus and offices to minimize duplication, inconsistency, and redundancy of information. We found that DOI does not have a comprehensive inventory of its Web sites or of other components of its Web presence. (See Appendix 2 on page 25 for a diagram of DOI’s Web presence). Using software (Web crawler) that automatically fetches Web sites, we estimated that DOI currently has approximately 31,000 Web sites presenting between 3 and 5 million pages of information. Figure 1 shows the percentage of Web sites maintained by major components of DOI.
Appendix 3 on page 27 provides information on the sites classified as Other DOI Web Sites identified in Figure 1.

    USGS                    43%
    BLM                      4%
    Departmental Offices     5%
    FWS                     26%
    MMS                      1%
    NPS                      3%
    OSM                      1%
    Other DOI Web Sites     15%
    USBR                     2%

Figure 1. Distribution of DOI’s Web Presence.

To provide a sense of DOI’s Web sites and pages, we mapped, using a Web crawler, a portion of DOI’s home page and site, as shown in Figure 2.

Figure 2. Snapshot of a Portion of DOI’s Web Presence.

ANNUAL SPENDING ESTIMATED BETWEEN $110 MILLION TO $220 MILLION

We researched industry standards and practices and analyzed the cost of current DOI contracts for outsourcing and maintaining Web sites to develop our cost estimate for annually maintaining DOI’s Web presence. Our research of industry indicated that the average cost to operate and maintain a Web site is generally between $100,000 and $200,000 annually. The $100,000 cost is for basic sites that have no supporting database, limited storage requirements, few individuals posting to the Web, and one domain [1]. The average cost increases to $200,000 annually based on the complexity of the site and the numbers of individuals posting information. For extremely complicated sites, the costs could reach $500,000.
These figures include the costs of acquiring:

- Information technology resources, such as computer hardware and software, necessary to operate and secure Web sites and internal networks.

- Human resources needed to design, maintain, and control Web site content and information and to manage Web-related hardware and software.

Costs for DOI contracts ranged from $55,000 annually (for managing content, interfaces to other Web sites, and access to a third-party Web server) to $200,000 (for content management for mapping and geographic information capabilities and databases). DOI’s contracts did not always include costs for hardware and software to operate its Web sites.

We conservatively estimated, based on 1,100 domains, that DOI’s annual cost to operate and maintain its Web presence is $110 million. Using a less conservative basis of $200,000 per domain, DOI’s annual cost could be as high as $220 million.

[1] A domain is a set of network addresses that is organized in levels. The top level identifies purpose commonality (for example, the organization that the domain covers such as “.gov”). The second level identifies a unique place within the top level domain and is equivalent to a unique address (such as “doi.gov”) on the Internet. Lower levels on the domain may also be used (such as “smis.doi.gov”).

CONTENT NOT CONTROLLED

DOI has an excessive amount of duplicated, inconsistent, outdated, and redundant information on its Web sites. For example:

- On the Office of Aircraft Services Web site, www.oas.gov, chapters of the Departmental Manual, Code of Federal Regulations, and Office of Management and Budget circulars, bulletins, and memoranda are duplicated rather than the Office of Aircraft Services creating links to the sites that maintain these documents, such as DOI’s Web-based electronic library (http://elips.doi.gov).

- On a Bureau of Land Management’s Web site, inconsistent information is provided to customers on the procedures to apply for adopting a wild horse or burro. On one Web page, the customer is informed that the application form could be downloaded, printed and completed, and mailed to the appropriate Bureau office or that the customer could apply online for adopting a horse or burro using the Internet.
  On another Web page, the customer is informed that he or she would have to contact the applicable Bureau field office to request the application form.

- We found that DOI Web sites were outdated or did not indicate whether the site was actively maintained, therefore not assuring that the information presented is current and relevant. For example, 8 sites had not been updated for more than a year and 27 sites did not indicate the date the site was last updated.

- Redundant information on the same DOI activities is located on numerous DOI Web sites and pages. We performed key word searches on bureaus’ and offices’ Web sites of selected activities that were identified on DOI’s home page. The analysis, as presented in Figure 3, showed that information on the same topic is presented on hundreds and thousands of Web sites by the seven major bureaus and offices.

Number of Sites and Pages by Bureau With Information on the Same Activity

DOI BUSINESS ACTIVITY           OSM     MMS     USGS      BOR     NPS       BLM      FWS
Endangered Species              125     103     1,154     294     1,000+    3,776    1,000+
Fisheries                       0       0       2,892     287     892       2,096    1,000+
Habitat Conservation            0       0       288       13      42        421      1,000+
Wildlife                        384     209     87,063    701     1,000+    14,942   1,000+
Plants                          204     312     25,978    760     1,000+    4,554    1,000+
Ground Water Resources          15      3       48,271    32      49        0        0
Water Supply                    149     10      4,755     1,260   683       417      748
Water Reclamation and Reuse     5       0       5         45      10        2        20
Oil and Gas                     50      530     3,422     0       298       6,431    872
Petroleum                       35      238     5,283     64      363       855      445
Helium                          0       0       598       0       52        201      0
Hydroelectric                   0       0       1,031     547     315       109      356
Renewable Energy                0       0       49        7       98        72       23
Energy Resources                37      44      2,012     5       74        206      45

Figure 3. Results of Queries on Bureaus’ and Offices’ Web Sites.

PROFESSED INFORMATION NOT ALWAYS AVAILABLE

Web sites and links were not available as presented. For example:

- Web sites that were no longer accessible by the customer were not removed. For example, instead of being linked to the selected information, customers visiting www.doi.gov/searchall.html were informed that the Web site was no longer available and to notify a Web master of the problem. Although we brought these problems to the attention of Web masters, such as webteam@nbc.gov, links to these Web sites were not removed.

- Links to Web sites resulted in the customer receiving notice that the site could not be found.
  For example, on DOI Web site, www.doi.gov/business, we were not able to access five Web sites under the National Business Center.

We believe these problems can be attributed to the fact that DOI has inadequate and inconsistent configuration and content management controls. We noted that DOI has not assigned responsibility for managing Web content to ensure that information is properly and consistently presented and that information is not duplicated. Further, we found that there was limited coordination between Web site managers to ensure that links to other Web sites and pages were available and for periodically testing linked Web sites for availability.

SECURITY NOT ADEQUATE

DOI does not have adequate security to safeguard its Web presence and its networks. We ascribed this condition to the lack of uniform Web security policies, procedures, and controls and the lack of standard configuration management. This increases DOI’s security risks. For example, we found that:

- Individuals could identify network devices from the Internet by using readily available network surveying software tools. This increases the ability of individuals to compromise these devices and obtain unauthorized access to DOI’s networks.
  For instance, using one of these tools, we identified the following devices in three of the Bureau of Land Management’s networks:

    o 2 Web servers
    o 2 E-mail servers
    o 6 firewalls
    o 12 File Transfer Protocol servers

- Web sites maintained by or for third parties did not have adequate security safeguards. DOI has no specific policy or control technique for outsourcing or hosting Web sites or restricting the registration of domains outside of the government domains (“.gov” or “.fed.us”). When DOI sites are hosted on third-party networks or when DOI hosts third parties’ Web sites, there is little assurance that an interconnection between the third parties’ networks and DOI’s networks is not created. Security risks increase under these types of arrangements and should be mitigated through safeguards specified in contractual agreements. We identified:

    o Web sites that were hosted by commercial third parties and were not within the government domains. For example, a National Park Service Web site, www.windowsintowonderland.org, is hosted on a commercial third-party’s server. In addition, the site was not under DOI’s control because the site was not operating on a DOI IP (Internet Protocol) address.

    o Web sites that were hosted by commercial third parties and were within the government domains did not have contractual agreements. As such, DOI lacks assurance that its Web sites were protected from access from the multiple other Web sites that were operating on the third-party’s server.
      For example, Bureau of Land Management’s “Adopt a Horse” Web site, www.adoptahorse.blm.gov, was managed by a contractor and was hosted on a third-party’s server but a contract did not exist for the hosting services.

    o DOI was hosting Web sites for not-for-profit organizations, which may not be bound by the same security requirements as the Federal Government. For example, the Bureau of Reclamation hosted the Platte River Endangered Species Partnership (www.platteriver.org) and the Geological Survey’s Northern Prairie Wildlife Research Center hosted six not-for-profit sites including the North American Reporting Center for Amphibian Malformations (www.npwrc.usgs.gov/narcam). This increases the risk to DOI’s networks because third parties have access to update their Web sites.

- DOI was posting sensitive information on its Web sites. For example, the Minerals Management Service had information related to vulnerabilities of Supervisory Control and Data Acquisition systems for offshore oil and gas production.

- Numerous types of Web server software with various versions and updates were operating throughout DOI. This increases the risk to DOI networks because known vulnerabilities in older versions of the software may not have been mitigated. Also, it creates inefficiencies in configuration management because each Web server’s software must be individually evaluated, tested, and updated. In addition, DOI’s ability to consolidate servers for central management and control may be inhibited because of these differences. Using network-surveying tools we identified that DOI has approximately 500 Web servers.
  We also obtained information on 405 of these servers indicating that DOI has at least three major types of Web server software with multiple versions of each type, as shown in Figure 4.

Apache (Current Version: 2.0.45)
    Versions Installed: 1.1.1, 1.2.5, 1.2.6, 1.3.11, 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26, 1.3.27, 1.3.9, 1.3a.1, 1.3b6, 2.0.39, 2.0.40, 2.0.42, 2.0.43, 2.0.44

Microsoft IIS (Current Version: 5.0)
    Versions Installed: 3, 4, 5

Netscape-Enterprise Server (Current Version: 6.1)
    Versions Installed: 2*, 3.6**, 4, 4.1, 6.0

* Netscape-Fastrack
** Service Pack (SP) levels applied from no SP to SP3

Figure 4. Sample of Web Server Software Installed on DOI Web Servers.

- DOI Web server configurations (file structures) could be mirrored using network-surveying software, such as a Web crawler. This is a problem because information on Web server configuration allows an individual to easily determine specific vulnerabilities and launch attacks against Web sites.
  In addition, it allows Web files that were not intended to be used by customers to be at risk of disclosure and misuse.

WEB SITES NOT COMPLIANT WITH FEDERAL LAWS AND REGULATIONS

DOI’s Web sites do not always comply with Federal laws and regulations pertaining to the privacy of its customers and accessibility to information by persons with disabilities. For example, we found that:

- At least one Web site (pages www.blm.gov/nstc/soil/Kids/adopt.html and www.blm.gov/nstc/soil/Kids/gallery.html) was not in compliance with the Children’s Online Privacy Protection Act [15 U.S.C. Chapter 91 § 6502]. Specifically, the site did not require children under the age of 13 to obtain parental consent before submitting requested personal information.

- Three Web sites that issued persistent cookies (small Web server files stored on customers’ computers) had no documented approval for use of these cookies, and only one of these sites disclosed the use of persistent cookies.

- Eight of the nine primary access points (DOI and bureaus home pages) do not meet all the requirements of Section 508 of the Rehabilitation Act Amendments of 1998 [29 U.S.C. § 794 (d)].
  These requirements include providing access to electronic information to employees and other individuals with disabilities.

WEB SITES NOT FOCUSED ON CUSTOMERS

DOI’s Web sites, with some exceptions, do not focus on its customers and do not allow them easy access to DOI information and opportunities. We evaluated 70 DOI Web sites to determine whether they applied best practices in 34 customer service areas covering user help features such as search and index, service navigation features including maps and events, and other user-friendly attributes such as the capability to E-mail the Webmaster. We concluded that overall DOI Web sites were adequate for 11 features, in need of improvement for 12 features, and inadequate for 11 features (see Appendix 4 on page 28 for details).

We also compared DOI’s home page with the Department of Health and Human Services’ (HHS) home page. This comparison, Figures 5 and 6, demonstrates the difference between a Web presence that is bureaucracy-centered (what the government does – DOI) and one that is customer-centered (what the government can do for the customer – HHS).

BUREAUCRACY-CENTERED

DOI-focused: The site is organized by agency function and centers on what DOI does rather than what it can provide to its customers. DOI’s services and opportunities cannot be located easily on its home page.

Complicated Web Site Presentation: DOI’s home page is appealing but not functional for the customer. The tab pointer links (for example “Endangered Species”) provide helpful information, but not specific information on the services and opportunities provided throughout DOI. In addition, the mission of DOI is not easily found.

Slow Web Site Accessibility: The home page was not designed with customers using 56K modems for Internet access. The home page takes more than a minute to download using a 56K modem connection because of the extensive use of graphics.

Complex Search for Information and Services: Extensive knowledge and effort is needed to search for information using DOI’s search function because it is limited to only bureaus’ primary domains, such as nps.gov, usbr.gov, and usgs.gov. Much information exists in other DOI domains that do not contain the bureaus’ acronyms (for examples see Appendix 3 on page 27). Also, the search function is only located on the home page. The customer is unable to perform a search from any of the other links on the home page. Rather, the customer must go back to the home page to perform the search.

Figure 5. Department of the Interior’s Home Page (Bureaucracy-Centered).

CUSTOMER-CENTERED

Customer-focused: The site is organized by areas of interest to the customer and the services provided. HHS news releases are also included on the home page, but they are not the focal point of the site.

Functional Web Site Presentation: The home page is professional and conveys a business-like approach by focusing on the customer. The home page has a standardized design that includes its logo, mission, and navigation features, such as ability to ask questions and a site map.

Fast Web Site Accessibility: The home page downloads in less than 15 seconds using a 56K modem because of the limited use of graphics.

Easy Search for Information and Services: The search function is a standard feature on the top of the home page. It allows the customer to perform a search on all HHS domains. There is also an extended search function that allows the customer to narrow down a search of frequently asked questions by specific areas of information and services, such as Aging and Diseases and Conditions.

Figure 6. Department of Health and Human Services’ Home Page (Customer-Centered).

BUILDING ON DOI’S EFFORTS

The goals of the President’s Expanding Electronic Government (E-government) Initiative are to add value to customers’ experiences with government and for government to better serve customers’ needs while improving government efficiency. A key to accomplishing these goals is use of the Internet through World Wide Web technology. The purpose of a Web presence is to use Web-based resources cost effectively, deliver high-quality services, meet the needs of customers, comply with policies, and help accomplish missions and objectives.
In the 1990s, the “World Wide Web” was released, and since then, the number of Web sites has grown exponentially, from an estimated 600 sites in 1993 to a million in 1997 and the number of sites continues to grow.

WEB PRESENCE ACTIVITIES

IMPROVEMENTS BEING MADE

Improvements by DOI include:

- Formalizing an E-government strategy team made up of senior level managers from the various program areas throughout DOI, Bureau and Office Chief Information Officers (CIOs), and field managers. The purpose of the team is to lead DOI’s transformation to a customer-centered electronic service delivery provider, in accordance with customer and industry expectations, by using information technology (IT) to enable mission accomplishment, and to develop an E-government Strategic Plan.

- Addressing Web and electronic government requirements of the future in its Interior Enterprise Architecture.

- Beginning to consolidate Web servers and reducing the numbers of Internet access gateways.

- Implementing its policy requiring that all Web servers be contained in a Demilitarized Zone (DMZ).

- Issuing policies to improve its IT security practices.

- Initiating projects to consolidate the access to information on some DOI Web sites to better provide opportunities to customers.

- Considering the initiation of a project to implement a content management system.

SOME WEB SITES PROVIDE EASY ACCESS TO INFORMATION

We found that some of the DOI’s Web sites have features which allow customers to easily locate specific information or to query for information through various techniques. For example, the U.S. Fish and Wildlife Service’s home page allows the customer to select news articles by date and subject, the Bureau of Reclamation has a similar feature to aid customers in locating specific Reclamation manuals, and the Bureau of Land Management allows customers to submit requests and questions to the Bureau’s Web team through a variety of electronic methods.

MORE NEEDS TO BE DONE

Despite these efforts, we believe that DOI needs to redesign its Web presence to focus on the customer, enhance security, maintain privacy, reduce duplication, and, at the same time, better manage its costs.
To aid DOI in this endeavor, we developed and presented in the next section of this report a framework for improvement based on best practices identified through our reviews of various Federal and state agencies’ Web sites; Federal agencies’ Web procedures and practices; and Office of Management and Budget, National Institute of Standards and Technology, and industry standards.

FRAMEWORK FOR IMPROVEMENT

Our framework is based on a more centrally controlled and managed Web presence and focuses on ways for DOI to enhance its processes to not only improve its management of costs and security but also to aid in transforming its bureaucracy-centered Web presence to a customer-centered Web presence.

STARTING THE MANAGEMENT AND CONTROL PROCESS

GETTING STARTED

Inventory Web resources, justify domains and sites, and implement management controls over these resources. To accomplish these tasks, we suggest that DOI:

➢ Inventory IP addresses, Web domains and sites, and Web server operating systems and record the physical location of these resources. To help accomplish the inventory, DOI should issue a moratorium on new Web domains and sites except for urgent business reasons.

➢ Discontinue use of .org, .net, .com or other non-government domains where possible. If there is a need to use non-government domains, these should be supported by a business case and formally approved by the DOI CIO.

➢ Implement contracts for maintaining all outsourced and hosted Web sites and ensure that the contract language adequately addresses security requirements, including requirements to use DOI IP addresses, ensure that DOI’s Web content is protected, and make sure that system configurations are consistent with DOI security policies and practices.

Figure 7. Distribution of DOI’s Web Presence by Domain Type: .gov and .fed.us 94%; .com 3%; .org 2%; .net and .edu 1%. Six percent of DOI’s Web domains are not government domains.

➢ Establish a position for and select a DOI Web Master. The position should report directly to the DOI CIO.
  The position’s authority and responsibilities should include issuing and enforcing DOI policies and standards related to Web resources, such as approving all new Web domains, coordinating selection of content management software solutions and portal technologies, and Web server configuration.

➢ Require network management staff to coordinate with the DOI Web Master when assigning IP addresses for Web domains.

➢ Establish a position for and select a DOI Content Manager. We believe this position should be located within the Immediate Office of the Secretary to ensure DOI’s Web sites appropriately present the Secretary’s message.
  In addition, this position should issue and enforce policies to control the format and style of DOI Web sites, to establish an approval process for content published on Web sites, and to control the numbers of Web pages. This individual should have the authority to disable and remove pages from public access and manage information in accordance with DOI records policies. The Content Manager should also act as liaison between the DOI Web Master and all levels of program managers.

NEXT HURDLES

➢ Determine the need for all existing domains, Web sites, and Web pages and disable those that are not needed, not functional, or not accessible. Information on the Web should be based on the DOI enterprise lines of business. All DOI Web sites should be justified by business cases that include supporting metrics.

Figure 8. Distribution of the Known 1,100 DOI domains: USGS.gov 43%; FWS.gov 26%; Other DOI Web Domains 15%; Departmental Offices 5%; BLM.gov 4%; NPS.gov 3%; USBR.gov 2%; MMS.gov 1%; OSM.gov 1%. Fifteen percent of DOI’s domains do not reside within DOI and Bureau/Office specific domains.

➢ Develop and implement DOI policies and standards to establish minimum controls for its Web presence. These policies and standards should ensure compliance with Federal laws and regulations. In addition, the policies should address Web page format, standardization, and content; training program for Web presence management; Web security; and operational procedures, such as change and configuration management. Policies should also include other areas such as cost/benefit analysis, E-mail inquiries, E-government initiatives, and hosting or outsourcing Web sites.

MOVING TO A CUSTOMER-CENTERED WEB PRESENCE

FOCUSING ON THE CUSTOMER

➢ Use the Web presence to focus on the customer by providing enhanced quality and availability of products, services, and opportunities; improved timeliness of information; better accessibility; and improved mission achievement. We suggest that DOI:

   o Identify the products, services, and opportunities that it offers customers, and identify those that could be made available through the Web.

   o Identify DOI customers and determine their wants and expectations.

   o Align or focus products, services, and opportunities toward customers.
     For example, on DOI’s “Collaborative Efforts - Conserving Endangered Species through Partnerships” it informs customers of what the results were of partnership activities instead of how the customer could become a partner in this conservation program.

➢ Centrally locate access points to the existing products, services, and opportunities that customers want based on the results of the above suggestions. DOI should consider portal technology so that a customer who is not familiar with DOI can easily find specific information without extensive knowledge of DOI or the Web. (See Figure 3 on page 5 for business activities of DOI that can be found throughout DOI’s Web presence at multiple access points.)

➢ Review current Web sites and pages for the characteristics listed below. Based on the results of the review, take action either by correcting the site or page or removing it.
  The review should determine whether:

   o Information is timely.
   o Information is accurate, consistent, and not redundant.
   o Web pages are accessible within a reasonable amount of time via any connectivity method.
   o Sites are accessible to all customers, to the maximum extent possible, by meeting Section 508 of the Rehabilitation Act Amendments of 1998.
   o Privacy policies, including children’s privacy, are easily reached on any Web access point.
   o Information is not requested and collected from children without parental consent.
   o Customers are notified upon departure from DOI sites.
   o Persistent cookies are not used without the required approvals.
     The DOI CIO should disable Web sites that contain persistent cookies until the DOI Web Master is provided assurance that: (1) sites give clear and conspicuous notice of the use of persistent cookies; (2) there is a compelling need to gather the data on the site; (3) appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies; and (4) appropriate bureau or office heads or the Director of DOI’s National Business Center have formally approved the use of each persistent cookie.

See Appendix 4 on page 28 for the results of our review of some of these features on selected DOI Web sites.

ESTABLISHING A STRATEGY

Develop an E-government strategic plan to use IT to transform the way DOI works to improve services to its customers.
DOI should complete a strategic plan that includes:

➢ E-government mission and vision that aligns with DOI’s Strategic Plan, IT Strategic Plan, and the Interior Enterprise Architecture objectives.

➢ Applicable legal requirements including security, privacy, and records management.

➢ Goals and associated objectives supporting the mission and vision.

➢ Metrics to measure performance for achieving the goals. These metrics should, at a minimum, measure:

   o Use of resources to maintain Web presence.
   o How well the Web sites meet the needs of customers.
   o How much the Web sites are contributing to customers taking advantage of the opportunities offered through DOI’s Web presence and enabling DOI to better accomplish its mission.

➢ Short- and long-term steps and success factors to achieve the desired outcomes.

ENSURING TRANSFORMATION CONTINUES

A best practice contributing to transforming from a bureaucracy-centered to a customer-centered Web presence is developing and implementing a strategy for managing Web content and design to focus on customers’ wants. To achieve this transformation, we suggest that DOI develop Web content management and design policies and procedures that include:

➢ Periodically reassessing what customers want using methodologies such as analyzing: (1) systems logs, for example, to determine the numbers of times and the amounts of time each site is visited or is accessed; (2) key word searches; (3) frequently requested information; and (4) online customer satisfaction surveys.

Figure 9. Cycle To Ensure Web Presence Remains Customer Focused.

➢ Creating a uniform look across DOI to include a standardized Web site design. The design should ensure that when Web sites are accessed the customer is made aware that it is a DOI Web site. While bureau-specific information can be provided, it should not confuse the customer that they are somewhere other than DOI.
  This can be accomplished by developing templates to standardize the look and feel of DOI Web sites and pages as well as filtering out unwanted content.

➢ Periodically evaluating the accessibility of the Web sites for broken links, orphan pages, connectivity issues, and user friendliness features, and ensuring deficiencies are corrected.

➢ Ensuring information that is posted on DOI Web sites is consistent, up-to-date, and not redundant.

➢ Moving or eliminating unnecessary or unwanted information not of interest to the public customer. Pertinent information for DOI employee users should be placed on a DOI intranet.

➢ Improving the efficiency of maintaining and posting information and the ability for users to customize the information they want by requiring, to the extent possible, pages to be dynamic (where information is found through queries to a database) rather than static (which is similar to hard-copy information where changes require rewriting the Web page).

➢ Defining what is sensitive information that should not be posted on the public Web sites.

➢ Standardizing all Web sites that are designed for children to include requirements for parental consent before information is requested and collected from children under the age of 13, thus complying with the Children’s Online Privacy Protection Act.

➢ Ensuring privacy statements and Freedom of Information Act [5 U.S.C. § 552 as amended by Public Law 104-231, 110 Stat. 3048] procedures are accessible from each Web page and ensuring that disclaimer statements are consistent with the DOI Information Quality Guidelines.

➢ Ensuring information is grouped around lines of business and services and allowing access through portal technology rather than through multiple sites.

ENHANCING SECURITY

NEAR-TERM

Implement procedures to protect information and servers from loss, misuse, or modification and unauthorized access through minimizing vulnerabilities and mitigating threats to an acceptable level. To enhance the security of its Web sites, DOI should:

➢ Inventory Internet access points and eliminate or consolidate to reduce the total numbers of Internet access points throughout DOI.

➢ Document the Internet access points on network topologies, including connections to hosted and outsourced servers.

➢ Ensure that the required security architecture, which should include DOI Web sites and those sites that are outsourced and hosted, are in a DMZ.

➢ Develop a naming standard for hosts or network devices to prevent the easy identification of operating systems or functions from the Internet. For example, a device with the name “doi-firewall-sw” could easily be identified as a firewall.

➢ Perform periodic risk assessments on Internet access points and implement appropriate controls to protect internal networks.

➢ Perform risk assessments and privacy impact assessments prior to deployment of new Web sites.

➢ Ensure Web server software and related operating systems are updated with the most recent patches or fixes. (See Figure 4 on page 8 for current versions available of Web server software and examples of what is used on DOI Web servers.)

KEEPING DOI’S WEB PRESENCE SECURE

➢ Establish configuration standards for DOI Web architecture and develop configuration management policies and procedures.

➢ Consolidate, physically and logically, DOI and bureau Web servers to the maximum extent possible.

➢ Ensure DOI’s Web presence is addressed in security plans and is incorporated into the Certification and Accreditation process for DOI’s networks.

Using our framework, DOI should be able to improve its Web presence by focusing on the customer, enhancing security, maintaining privacy, reducing duplication, and, in the long term, lowering costs.

RECOMMENDATION

We recommend that the DOI CIO develop and implement a plan, based on the framework identified in this report, for centrally controlling and managing DOI’s Web presence.
APPENDIX 1

EVALUATION SCOPE AND METHODOLOGY

SCOPE OF EVALUATION

Our evaluation included all the Department of the Interior’s (DOI) and its components’ (bureaus and offices) Web sites and pages that were available for access by the public and were connected to the Internet during November 2002 through March 2003. Web sites that were not available and therefore not included in our evaluation were those of the Bureau of Indian Affairs, the Office of Hearing and Appeals, and the Office of Special Trustee for American Indians. In addition, we limited our review of the Office of Indian Education .edu Web sites to determining the numbers of domains and Web sites. Office of Indian Education .edu Web sites were not subjected to Web presence analysis because they serve a different function than the other DOI sites. Finally, we limited our review to only http:// and https://, which are the basic means for customers to interact with the World Wide Web and to download requested information.

We reviewed DOI and its components’ policies and procedures related to managing and controlling Web sites. We also interviewed DOI personnel responsible for maintaining Web sites and servers. We evaluated DOI processes and its publicly available Web sites and compared these to best practices that we developed from our reviews of various Federal and state agencies’ Web sites; Federal agencies’ Web procedures and practices; and Office of Management and Budget, National Institute of Standards and Technology, and industry standards.

We performed this evaluation in accordance with the “Government Auditing Standards” issued by the Comptroller General of the United States.
Accordingly, we included tests and other procedures that were considered necessary under the circumstances.

WEB DOMAINS AND SERVER REVIEW

To identify DOI’s domains and Web servers and to determine whether security was adequate, we used several network surveying software tools to identify and analyze DOI’s and its components’ domains, Web sites, servers, and networks.

We used Web crawler software programs to identify DOI’s Web domains and sites and Web site configurations. We also used these tools to identify Web sites hosted by DOI that may be unauthorized and DOI Web sites that were hosted outside of DOI. From this information, we identified DOI’s IP addresses related to DOI’s Web presence. In addition, we used a network-mapping tool to identify hosts that were not identified by the Web crawler tool. This tool also provided us with lists of hosts, servers, and other network devices such as routers, switches, firewalls, and printers that were identifiable from the Internet.

WEB SITE REVIEW METHODOLOGY

We developed a checklist based on identified best practices for Web site content and features (see Appendix 4 on page 28 for results of our evaluation).
We evaluated these features on the following selected 70 Web sites:

➢ 56 tab pointer links from the eight tabs listed on www.doi.gov – Collaborative Efforts, American Indians, Fish/Wildlife, National Parks, Public Lands, Energy, Science, and Water
➢ 9 bureau and DOI home pages
➢ 5 judgmentally selected DOI and bureau Web sites

WEB SITES REVIEWED

Bureau                                                        Number of Sites Reviewed
U.S. Geological Survey (USGS)                                 23
National Park Service (NPS)                                    9
Bureau of Land Management (BLM)                                8
Minerals Management Service (MMS)                              8
U.S. Fish and Wildlife Service (FWS)                           7
Department of the Interior (DOI)                               7
Bureau of Reclamation (BOR or USBR)                            5
BLM and Forest Service                                         1
National Business Center (NBC)                                 1
Office of Surface Mining Reclamation and Enforcement (OSM)     1
Total                                                         70

In addition to the 70 sites, we judgmentally selected numerous other DOI Web sites and pages. We reviewed these Web sites and pages for features, such as redundant, duplicated, sensitive, and inconsistent information; ease in accessing information; compliance with Federal laws and regulations; hosting other organizations’ Web sites; and Web content and site design.
Further, we evaluated business cases for selected DOI Web sites, if business cases were developed, and contracts and costs for DOI Web sites hosted on third-party Web servers.

APPENDIX 2

DIAGRAM OF THE DEPARTMENT OF THE INTERIOR’S WEB PRESENCE

Top Level Domain           .gov
Second Level               doi.gov
Subordinate Levels         smis.doi.gov
Subdirectories or Files    smis.doi.gov/KEN/KEN.htm
                           smis.doi.gov/ken/acc_code/meta_activity.asp

Domains (1,100)
Web Sites (31,000)
Pages (3 million to 5 million)

Infrastructure (networks and devices {routers, switches, firewalls}, Web Servers [500], and operating systems)

APPENDIX 3

DEPARTMENT OF THE INTERIOR’S “OTHER” WEB SITES

The Department of the Interior’s (DOI) Web presence includes approximately 1,100 domains
(addresses). Of these addresses, 15 percent do not include “DOI” or a bureau acronym, such as
“BLM,” “NPS,” or “USBR,” as shown in Figure 1 on page 1 of the report. Examples of the
“Other” Web sites follow:

  americasoutdoors.gov           handsontheland.gov              partnersinflight.org
  anstaskforce.gov               historicpreservation.gov        pbin.nbii.gov
  baca.gov                       icbemp.gov                      permits.gov
  bacaranch.gov                  industrialecology.gov           piedrasblancas.gov
  bianifc.org                    infms.gov                       pnwin.nbii.gov
  bioeco.gov                     interior.gov                    recreation.gov
  birdcon.nbii.gov               invasivespecies.gov             redondopeak.gov
  cain.nbii.gov                  invasivespecies.nbii.gov        reo.gov
  cal-parks.ca.gov               lacoast.gov                     safenet.nifc.gov
  cesu.org                       landfire.gov                    safety.oas.gov
  cleanwater.gov                 lewisandclark200.gov            sain.nbii.gov
  clear.search.gov               liss.org                        science.gov
  clearinghouse1.fgdc.gov        mbr.nbs.gov                     sciencerules.gov
  clearinghouse2.fgdc.gov        mesc.nbs.gov                    seagrantnews.org
  clearinghouse3.fgdc.gov        metadata.nbii.gov               search.nbii.gov
  clearinghouse4.fgdc.gov        mrlc.gov                        senrlg.gov
  cswgcin.nbii.gov               msc.nbs.gov                     sierranevadawild.gov
  ec21.gov                       nationalatlas.gov               sierrawildbear.gov
  ein.nbii.gov                   nbii.gov                        snow.water.ca.gov
  emtc.nbs.gov                   nbs.gov                         swin.nbii.gov
  eric.ed.gov                    ndep.gov                        urban.nbii.gov
  far.nbii.gov                   nemi.gov                        usfilm.gov
  fgdc.gov                       nepa.gov                        usitc.gov
  firejobs.gov                   nfpors.gov                      usparkpolicenyfo.gov
  fireleadership.gov             nifc.gov                        vallegrande.gov
  frogweb.gov                    nifc.org                        vallesgrandenationalpreserve.gov
  gai.fgdc.gov                   nigc.gov                        vcnp.gov
  gapanalysis.gov                nrin.nbii.gov                   volunteer.gov
  gcmrc.gov                      nrtc.gov                        westnilevirus.nbii.gov
  genetics.nbii.gov              nwcg.gov                        wildlandfire.gov
  geocommunicator.gov            nwfireplan.gov                  wildlandfires.gov
  geomac.gov                     oas.gov                         wildlifedisease.nbii.gov
  geo-one-stop.gov               oregontrail.gov                 windowsintowonderland.org
  govworks.gov                   osti.gov                        yourland.gov

APPENDIX 4

SCORECARD OF THE DEPARTMENT OF THE INTERIOR’S WEB SITES

We developed a rating system to evaluate specific features on the Department of the Interior’s (DOI)
Web sites.
Our ratings were determined from information collected from 70 DOI Web sites
based on Office of Inspector General (OIG)-developed checklists containing specific best
practices attributes. If the Web site had a specific attribute, it received a score of 5 and if it did
not have the attribute it received a 0. Answers, such as “possibly,” “somewhat,” or “limited,”
received a score of 2.5. In addition to determining a rating score for each attribute, we developed
a color-coded system to better depict the areas that were adequate, in need of improvement, or
inadequate. The following table provides the color code, the corresponding rating interval, and
description.

  COLOR KEY

  Rating Score     Description
  0-2.0            Inadequate
  2.01-3.75        In Need of Improvement
  3.76-5           Adequate
                   Not Applicable

The following table is a summary of the results of our evaluation of DOI’s Web sites by an
OIG-determined sample group: DOI Tab Pointer Links found on DOI’s home page, DOI and bureau
home pages, and other judgmentally selected sites.
The features we evaluated were categorized
by User Help Features, Service Navigation Features, and Other User Friendly Attributes.

                                                     DOI Tab Pointer Links   Home Pages   Other Sites   Overall Score
  User Help Features
    1. Comments and Feedback
    2. Search
    3. Index
    4. Site Map
    5. About the Site
    6. Frequently Asked Questions (FAQ)
    7. Help
    Overall Ranking for User Help Features
  Service Navigation Features
    8. Welcome
    9. Just For Kids
    10. Maps
    11. In the Newsroom/In the News
    12. Freedom of Information Act (FOIA)
    13. Events
    14. What's New
    15. About Services
    16. Links to Other Agencies/Regions
    Overall Ranking for Service Navigation Features
  Other User Friendly Attributes
    17. Page does not link to intranet log-in
    18. Duplicate information not found on pages tested
    19. Information was current or not expired
    20. Contact information - Phone number and addresses available
    21. Obvious link to contact information
    22. No personally sensitive information on page
    23. Link to Privacy Policy statement
    24. External links with proper exit notices
    25. No persistent cookies
    26. Link to Disclaimer statement
    27. Site compliant with Section 508 of the Rehabilitation Act
    28. Page links to next hierarchy (within Bureau)
    29. Home page has link to DOI
    30. Customers can E-mail the Webmaster
    31. Customers can E-mail the Pagemaster
    32. Customers can E-mail other individuals
    33. Foreign language access
    34. Easy to use and accessible

GLOSSARY OF TERMS USED

A-D

COOKIE

A message given to a Web browser by a Web server. The browser stores the message in a text
file on the user’s computer. The message is then sent back to the server each time the browser
requests a page from the server. The main purpose of cookies is to identify users and possibly
prepare customized Web pages for them. Generally, there are two types of cookies, session and
persistent. The session cookie exists only when the user is browsing the Internet. The persistent
cookie exists during the time the user is browsing the Internet as well as after the user closes the
browser.

DMZ

A Demilitarized Zone is a network configuration used to provide security while allowing Internet
traffic to access services such as a Web site (http), file transfer protocol (FTP) servers,
electronic mail (E-mail), and Domain Name Servers (DNS).
The DMZ is the first line of defense
between the Internet and an organization’s internal networks and is usually a combination of
firewalls and other computer hardware or software devices.

DOMAIN

A domain is a set of network addresses that is organized in levels. The top level identifies
purpose commonality (for example, the organization that the domain covers such as “.gov”).
The second level identifies a unique place within the top level domain and is equivalent to a
unique address (such as “doi.gov”) on the Internet. Lower levels on the domain may also be
used (such as “smis.doi.gov”).

E-H

FIXES – SEE PATCHES

HOST

A computer that is attached to a computer communications network that can use services
provided by the network to exchange data with other attached computers and networks.

HTTP

Hypertext Transfer Protocol is the standard Internet protocol for the exchange of information
using World Wide Web (Web) technology.

HTTPS

An extension of the Hypertext Transfer Protocol that is designed to transmit individual messages
securely.

I-L

INTERNET

The Internet is a network of networks. It is a system of linked computer networks, international
in scope, that facilitates data transfer and communication services, such as remote login, file
transfer (FTP), electronic mail (E-mail), newsgroups, and the World Wide Web.

INTERNET ACCESS GATEWAYS OR POINTS

A network device interface that connects the internal network and the Internet to provide users
connected to the internal private network access to the Internet.
It allows traffic both ways and it
is usually referred to as a gateway.

IP ADDRESS

An abbreviation for Internet Protocol address, commonly referred to as an IP. It is a numeric
address that is given to servers and hosts connected to the Internet. For servers, it is translated
into a domain name by a Domain Name Server (DNS). For hosts, it is assigned by the Internet
Service Provider (ISP).

M-P

NETWORK DEVICE

Any machine or component that attaches to a communications network. Examples of network
devices include servers, firewalls, routers, switches, hubs, bridges, and modems.

ORPHAN PAGE

The name for a Web page that has been abandoned but still remains available.

PATCH

A supplemental software code that, when installed to the original software program, fixes
problems (bugs). A patch can usually be downloaded off the Internet in order to fix a software
problem or security vulnerability.

PORTAL TECHNOLOGY

A technology strategy for facilitating the dissemination of information, providing self-service
capabilities, and improving communications and interaction with and in between customers.

Q-T

THREAT

A potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm. That is, a threat is a possible danger
that might exploit a vulnerability. A threat can be either "intentional" (for example, an individual
cracker or a criminal organization) or "accidental" (for example, the possibility of a computer
malfunctioning or natural disaster such as an earthquake, a fire, or a tornado).

TOPOLOGY

The shape of a local-area network (LAN) or other communications system network. Topologies
are either physical or logical.
Three basic topologies are shown below:

[Figure: three basic topologies]

U-Z

URL

Abbreviation of Uniform Resource Locator, it is the global address of documents and other
resources on the World Wide Web. The first part of the address indicates what protocol to use,
for example http, and the second part specifies the IP address or the domain name where the
resource is located.

For example, the two URLs below point to two different files at the domain usbr.gov. The first
specifies an executable file that should be fetched using the File Transfer Protocol; the second
specifies a Web page that should be fetched using the Hypertext Transfer Protocol:

    ftp://ftp.usbr.gov/stuff.doc
    http://www.usbr.gov/main/index.html

VULNERABILITY

A flaw or weakness in a system's design, implementation, or operation and management that
could be exploited to violate the system's configured security policy.

WEB CRAWLER (ALSO KNOWN AS WEB SPIDER)

A program that automatically fetches Web pages. Crawlers or spiders are used to feed pages to
search engines. Because most Web pages contain links to other pages, a crawler can start almost
anywhere. As soon as the crawler sees a link to another page, it goes off and fetches that page.
Large search engines, like Alta Vista, have many crawlers working in parallel.

WEB PAGE

A document on the World Wide Web. Every Web page is identified by a unique URL.

WEB PRESENCE

An organization’s established World Wide Web existence, through Web sites or a collection of
Web files.
It includes all components needed to provide the information published or posted on
Web sites to be accessed or used by customers.

WEB SERVER

A Web server or Internet server is a computer that stores files of various types and makes them
available over the Internet. A Web server stores the Web pages and provides them to users using
Web "browser" software via the Internet.

WEB SITE

A location on the World Wide Web. Each Web site contains a home page, which is the first
document users see when they enter the site. The site might also contain additional documents
and files that may also be considered Web sites. A site can be owned and managed by an
individual, company, or organization. This term is frequently used to identify anything located
on the World Wide Web including a Web domain or a Web page within a domain.

WORLD WIDE WEB

A hypertext-based system for finding and accessing Internet-based data and information
resources. It is capable of providing the public with user-friendly graphics-based access to
information on the Internet. It is the most popular means for storing and linking Internet-based
information.

How to Report Fraud, Waste, Abuse and Mismanagement

Fraud, waste, and abuse in government are the concern of everyone – Office of Inspector
General staff, Departmental employees, and the general public. We actively solicit
allegations of any inefficient and wasteful practices, fraud, and abuse related to
Departmental or Insular Area programs and operations. You can report allegations to us
by:

  Mail:       U.S. Department of the Interior
              Office of Inspector General
              Mail Stop 5341-MIB
              1849 C Street, NW
              Washington, DC 20240

  Phone:      24-Hour Toll Free            800-424-5081
              Washington Metro Area        202-208-5300
              Hearing Impaired (TTY)       202-208-2420
              Fax                          202-208-6081

  Internet:   www.oig.doi.gov/hotline_form.html

U.S. Department of the Interior
Office of Inspector General
1849 C Street, NW
Washington, DC 20240
www.doi.gov
www.oig.doi.gov